Coordinating action systems

Theoretical Computer Science 240 (2000) 91–115

www.elsevier.com/locate/tcs

Coordinating action systems Eric J. Hedman a , Joost N. Kok b , Kaisa Sere a;∗  Akademi University, Centre for Computer Science, Department of Computer Science, Abo  Lemminkainengatan 14, FIN-20520 Abo, Finland b Leiden Institute of Advanced Computer Science, Leiden University, P.O. Box 9512, 2300 RA Leiden, Netherlands

a Turku

Abstract We develop an action systems-based approach that supports the separation of the design of the functional or computation aspects of a system under construction from the coordination and synchronization issues. The computation aspects are modeled as nondeterministic actions that work in parallel with the coordination actions, which impose some control on the nondeterministic part. We de ne a special form of action systems that models this type of coordination activity. Certain forms of real-time scheduling and coordination as well as exception handling are shown to be special cases of our approach. We show how the coordinators can be stepwise brought about from a high-level speci cation of the target system and how the reasoning about their behaviors is carried out separately from the computation aspects of the system within the re nement calculus. c 2000 Elsevier Science B.V. All rights reserved.

Keywords: Coordination; Action systems; Re nement; Scheduling; Distributed systems

1. Introduction Recently, several languages and models for coordinating the work of independent agents have been proposed in the literature [11]. Many researchers have designed dedicated languages for coordination, separate from the language to model computation [14, 17]. For Gamma programs [8] for instance a construct called scheduler is introduced [13]. The purpose of a scheduler is to restrict the nondeterminism present in a Gamma program. Another construct is the RTsynchronizer [24]. An RTsynchronizer is a special form of an actor [1]. It does not, however, send or receive messages as normal actors do. Instead it enforces constraints on the ordering of message invocations of groups of actors and in this way coordinates the activities of the actors. Often there have been diculties in incorporating the new constructs into a formal framework. ∗

Corresponding author. E-mail addresses: Eric.Hedman@abo. Kaisa.Sere@abo. (K. Sere).

(E.J.

Hedman),

[email protected]

c 2000 Elsevier Science B.V. All rights reserved. 0304-3975/00/$ - see front matter PII: S 0 3 0 4 - 3 9 7 5 ( 9 9 ) 0 0 2 2 8 - 5

(J.N.

Kok),

92

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

For example, there is no formal semantics given to the RTsynchronizers neither do they come with a methodology to reason about them or develop systems that involve them. For the Gamma approach, a separate framework is introduced for reasoning about the schedulers. The main contribution of this paper is to show how coordination can be modeled within an existing formal framework where both computation and coordination aspects are treated equally and uniformly. We formalize our ideas within the action systems formalism. The action systems formalism [4] is a state-based approach to distributed computing. A set of guarded actions share some state variables and may act on those variables. The two main development techniques we use on action systems are re nement and prioritized decomposition. Re nement allows us to replace abstract state variables with more concrete representations such that the behavior of the re ned action system satis es the behavior of the abstract action system. The recently introduced prioritizing composition between actions and action systems [25] turns out to be a convenient way of expressing coordination policies. Additionally, parallel decomposition allows us to split an action system into parallel sub-systems by partitioning the state variables and actions. Action systems are related to the UNITY programs of Chandy and Misra [12]. Reasoning about UNITY programs is done within an associated temporal logic. This relies heavily on the underlying fairness assumption in the execution model. No such assumptions are made for action systems. Gamma and Swarm [15] programs also work on a set of actions that are intended to be executed in a nondeterministic fashion. At rst sight the philosophy behind design approaches like UNITY and action systems does not seem to support the coordination paradigm with its separation of computation from coordination. However, we will show that the formalisms as such are suitable as basis for coordination languages with their sets of nondeterministic actions. Mobile UNITY [20] is a recent extension of UNITY towards such a language where one of the key features is the coordination of mobile, autonomous agents. This aspect is taken care of by introducing a new section with associated proof rules into the UNITY framework. In this paper we show that within the action systems framework we can de ne a special form of action systems that models a coordinator. Moreover, we propose several ways to do the separation between computation and coordination. Within action systems we can model several coordination patterns within the systems themselves. For example, synchronous communication can be done via procedure calls and asynchronous communication via properly chosen shared variables. However, we do not have a separate coordination language in the style of Linda [11] or MANIFOLD [2]. We stay within the action systems formalism. This has its advantages as no new theory is needed, but it does not give a clean separation of concepts automatically. This has to be enforced by the designer. The design and reasoning about action systems is carried out within the re nement calculus [3, 5, 21, 22]. We show how the coordination part can be stepwise developed from a high-level task description of a system within this calculus. The advantage we gain is that we are able to reason in a structured way about the two aspects,

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

93

functionality and coordination, within the same framework. Moreover, we can develop and re ne these two lines independently of each other due to the compositionality of our (de-)composition operators. As examples we study a set of typical coordination problems from the literature, where the coordinators impose some particular scheduling mechanisms onto the otherwise independent and nondeterministic agents. This paper extends our previous work on coordination [18] into several directions. Earlier we showed how a typical communication medium for coordination, the tuple space, is added into a UNITY like language, ImpUNITY [28], and how this form of communication is used with a UNITY style re nement. Here we extend this by considering coordination as a language construct and propose a general strategy to derive coordinators. The only composition operator de ned for ImpUNITY programs is the union operator which corresponds to our parallel composition operator. In this paper we focus on the prioritized composition and consider data re nement [7] as our main re nement technique. We do give a number of re nement rules for introducing and reasoning about coordination, but our main contribution is in proposing ways in which coordinators can be modeled as action systems. Overview. We proceed as follows. In Section 2 we describe the action systems formalism and the operators needed to model coordination. In Section 3, the coordination aspects of an action system are developed. In Section 4, the re nement calculus for action systems is brie y described. Special emphasis is put on the compositionality aspects. Section 5 describes how action system coordinators are developed in a stepwise manner within the re nement calculus. We end in Section 6 with some concluding remarks. 2. Action systems An action system is a set of actions operating on local and global variables: A = b |[ var y∗ ; x := y0; x0; proc p1∗ = P1 ; : : : ; pn∗ = Pn ; q1 = Q1 ; : : : ; ql = Ql ; do A1 : : : Am od ]| : z; r: The action system A describes a computation, in which the local variables x and the exported global variables y, marked with an asterisk ∗ and distinct from x, are rst created and initialized to x0 and y0, respectively. Then repeatedly any of the enabled actions A1 ; : : : ; An is nondeterministically selected for execution. The computation terminates if no action is enabled, otherwise it continues in nitely. Actions operating on disjoint sets of variables can be executed in any order or in parallel. The local variables x are only referenced locally in A. The exported global variables, y, on the other hand, can also be referenced by other action systems. The imported

94

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

global variables, z, of A are mentioned in A1 ; : : : ; An , but not declared locally. The identi ers x, y and z are assumed to be pairwise distinct lists of variables. Thus, no redeclaration of variables is permitted. The variables are initialized at declaration time as indicated above in the system A or in a separate initialization statement after their creation. Both ways will be used in this paper. A procedure is declared as p = P with a procedure header p and a procedure body P. In the action system A the procedures p1 : : : pn are declared as exported procedures, also marked with an asterisk ∗, that are called from other action systems, while the procedures q1 : : : ql are declared as local procedures. The procedures imported into A are denoted r. These are called from actions in A, but are declared elsewhere. The names of the local and global procedures are assumed to be distinct. A statement or an action is said to be local to an action system, if it only refers to local variables of the action system. The procedures and actions are allowed to refer to all the state variables of an action system. Furthermore, each procedure and action may have local variables of its own. Actions are taken to be atomic, meaning that only their input–output behavior is of interest. They can be arbitrary sequential statements. Their behavior can therefore be described by the weakest precondition predicate transformer of Dijkstra [16], where wp(A; P) is the weakest precondition such that action A terminates in a state satisfying predicate P. As we are only interested in the input-output behavior of actions, we consider two actions to be equivalent if they always establish the same postcondition: A ≡ B i ∀P : wp(A; P) = wp(B; P) : In addition to the statements considered by Dijkstra, we allow assumptions [Q] and nondeterministic assignments v := v0 :Q, where Q is a predicate, and nondeterministic choice, A B, between the actions A and B. The assumption [Q] can be thought of as stopping execution, if Q does not hold. The nondeterministic assignment v := v0 :Q assigns the value of the expression v0 to the variable v in case the predicate Q(v0 ) holds. If there is no such value, the statement aborts. wp(abort; P)

= b false

wp([Q]; P)

= b Q⇒P

wp(skip; P)

= b P

wp((A B); P)

= b wp(A; P) ∧ wp(B; P)

wp(v := e; P) = b P[v := e] wp((A; B); P) = b wp(A; wp(B; P)) b (∃v0 :Q) ∧ (∀v0 :Q ⇒ P[v := v0 ]) wp(v := v0 :Q; P) = Other operators can also be de ned. The restriction we impose is that all actions are ( nitely) conjunctive, hence excluding angelic nondeterminism [7]: wp(A; P ∧ Q) = wp(A; P) ∧ wp(A; Q) : All of the above operators are conjunctive or preserve conjunctivity. Conjunctivity implies monotonicity: (P ⇒ Q) ⇒ (wp(A; P) ⇒ wp(A; Q)) :

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

95

As the nondeterministic choice A B is included as an operator on actions, we can con ne ourselves to action systems with only a single action. Hence, an action system A is in general of the form: A = b |[ var y∗ ; x := y0; x0; proc p1∗ = P1 ; : : : ; pn∗ = Pn ; q1 = Q1 ; : : : ; ql = Ql ; do A od ]|z; r: 2.1. De nition of procedures Procedure bodies and actions may contain procedure calls. The meaning of a call on a parameterless procedure p = P in a statement S is determined by the substitution principle: S ≡ S[P=p] ; i.e. the body P of procedure p is substituted for each call on this procedure in statement S. If an action contains a call to a procedure, following the substitution principle, both the action and the procedure jointly form a single atomic entity. If a procedure or action contains a call to a procedure that is not declared in the action system, then the behavior of the action system will depend on the way in which the procedures are declared in some other action system, which constitutes the environment of the action system as will be described later. The de nition of procedures (with formal parameters) for action systems is studied in more detail elsewhere [6]. 2.2. Enabledness of an action The actions contain arbitrary program statements. A statement that establishes any postcondition is said to be miraculous. We take the view that a statement S is only enabled in those initial states in which it behaves nonmiraculously, i.e. for which ¬wp(S; false) holds. The guard of a statement characterizes those states for which the statement is enabled: gdS = b ¬wp(S; false) : The statement S is said to be enabled in a given state, when the guard is true in that state. The statement S is said to be always enabled, if wp(S; false) = false (i.e., gdS = true), and always terminating, if wp(S; true) = true. Actions will in general be guarded commands, i.e., statements of the form C = b g→S ;

96

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

where g is a boolean condition and S is a program statement. The guarded statement g → S is de ned using an assumption as follows: g→S = b [g]; S : In this case, the guard of C is g ∧ ¬(S; false). Hence, a guarded statement g → S is only enabled when S is enabled and g holds. Moreover, the nondeterministic choice A B is enabled when either A or B is enabled: gd(A B) = gdA ∨ gdB : The body sC of C is de ned: sC = b gdC → C ¬ gdC → abort : We assume that procedures are always enabled. If additionally the body of each action of an arbitrary action system is always enabled, action systems coincide with the language of guarded commands. Recall that in the original language of guarded commands as discussed by Dijkstra, a guarded command of the form g → S is only allowed to appear as an alternative within an if-statement or a do-loop. Here this restriction is not made. Observe that for our purposes we do not need or want procedures with guards. The reason is that a guarded procedure is not always enabled and hence, a call to such a procedure will be refused by the callee in a state where the guard of the procedure is false. Guarded procedures within action systems are studied by Sere and Walden [26]. 2.3. Prioritized actions The prioritizing composition on actions turns out to be very important when modeling the coordination aspects of a system. Consider two actions A and B. We have that the prioritizing composition de ned as A==B = b A (¬gdA → B) ; selects the rst component A for execution if it is enabled, otherwise B is selected if enabled. The prioritizing composition of A and B is enabled when at least one of the actions is enabled: gd(A==B) = gdA ∨ gdB : Under the assumption that the two actions exclude each other, the prioritizing composition and choice coincide: A==B ≡ A B if gdA ⇒ ¬gdB : The prioritizing composition of actions is associative: (A==B)==C ≡ A==(B==C) :

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

97

Furthermore, the prioritizing composition of actions distributes over choice to the right: A==(B C) ≡ (A==B) (A==C) : Proof. A==(B C) ≡ A ¬gdA → B ¬gdA → C ≡ A ¬gdA → B A ¬gdA → C ≡ (A==B) (A==C) Other properties of this operator are studied by Sekerinski and Sere [25]. Also, other researchers have been interested in this operator within the weakest precondition framework though for dierent reasons [9, 23]. They mainly study the semantics of the operator whereas Sekerinski and Sere are more interested in the role and use of the operator within the re nement calculus for action systems. 2.4. Parallel composition Consider two action systems, A and B: A = b |[ var v∗ ; x := v0; x0; proc r1∗ = R1 ; : : : ; rm∗ = Rm ; p1 = P1 ; : : : ; pn = Pn ; do A od ]|; z; b B = b |[ var w∗ ; y := w0; y0; proc s1∗ = S1 ; : : : ; sk∗ = Sk ; q1 = Q1 ; : : : ; ql = Ql ; do B od ]| : u; c where x ∩ y = ∅, v ∩ w = ∅, and r ∩ s = ∅, i.e., the variables in x and y and v and w, respectively, are distinct as well as the names of the global procedures r and s. Furthermore, the names of the local procedures declared in the two action systems are required to be distinct. We de ne the parallel composition A k B of A and B to be the action system C = b |[ var d∗ ; x; y := d0; x0; y0; proc r1∗ = R1 ; : : : ; rm∗ = Rm ; s1∗ = S1 ; : : : ; sk∗ = Sk ; p1 = P1 ; : : : ; pn = Pn ; q1 = Q1 ; : : : ; ql = Ql ; do A B od ]| : a; e; where a = z ∪ u − (v ∪ w); e = b ∪ c − (r ∪ s), and d = v ∪ w.

98

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

Thus, parallel composition will combine the state spaces of the two constituent action systems, merging the global variables and global procedures and keeping the local variables distinct. The imported identi ers denote those global variables and/or procedures that are not declared in either A or B. The exported identi ers are the variables and/or procedures declared global in A or B. The procedure declarations and the actions in the parallel composition consists of the procedure declarations and actions in the original systems. Parallel composition is a way of associating a meaning to procedures that are called in an action system but which are not declared there, i.e., they are part of the import list. The meaning can be given by a procedure declared in another action system, provided the procedure has been declared global in that action system. The behavior of a parallel composition of action systems is dependent on how the individual action systems, the reactive components, interact with each other. We have, for instance, that a reactive component does not terminate by itself: termination is a global property of the composed action system. Moreover, communication via global procedures models synchronized communication between two action systems as the calling action in one system and the called procedure in another system are executed as a single atomic action. Shared global variables again can be used to model asynchronous communication between the reactive components. More on these topics can be found elsewhere [6]. 2.5. Prioritizing composition Let the action systems A and B be as above. We de ne the prioritizing composition A==B of A and B to be the action system C = b |[ var d∗ ; x; y := b0; x0; y0; proc r1∗ = R1 ; : : : ; rm∗ = Rm ; s1∗ = S1 ; : : : ; sk∗ = Sk ; p1 = P1 ; : : : ; pn = Pn ; q1 = Q1 ; : : : ; ql = Ql ; do A==B od ]| : a; e; where a; d; e; r and s are as above. The prioritizing composition, like the parallel composition, will combine the state spaces of the two constituent action systems, merging the global variables and keeping the local variables distinct. Both operators are associative allowing us to omit parenthesis in repeated applications [25]. This follows directly from the de nition of the operators on action systems as well as from the fact the prioritizing composition and nondeterministic choice are associative w.r.t. actions. The prioritizing composition A==B behaves as the parallel composition A k B except when an action of A is enabled, in which case it will be taken. An action in B will only be taken if no action in A is enabled.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

99

3. Coordination and coordinators The action systems formalism can be used in two ways to coordinate the work among a set of objects: (i) the objects can participate in joint actions that are scheduled for execution when all the participating objects are enabled, or (ii) we can de ne special action systems, coordinators, that carry out this coordination without eecting the functionality of the participating objects, often only restricting the amount of nondeterminism in them. The former approach to coordination is the usual action systems approach where the coordination is not separated from the rest of the system. This form was also studied in our earlier work [18]. We will here concentrate on the latter form of coordination. We will, however, start by describing how a tuple space, a typical medium for coordination, is modeled in our framework. Both of the approaches above use tuple spaces for communication and coordination purposes. 3.1. Tuple space In a typical coordination language the communication between dierent reactive components is taken care of asynchronously via a tuple space or a multiset. Since shared variables are a common way to achieve asynchronous communication in our framework we can realize such a tuple space by declaring (and exporting) a variable of suitable type. Let T denote the tuple space, i.e., be a variable of type bag. Furthermore, let a tuple be of the form hti where t denotes its contents. The statement add(hti) places the tuple hti in the bag T , rem(hti) removes it from the bag and hti in a boolean expression will check for the presence of the tuple in the bag T . Hence, we de ne the following new constructs: add(hti) = b T := T ∪ {hti}; rem(hti) = b T := t 0: t 0 = T − {hti}; [hti]

= b [hti ∈ T ]:

Note that according to the semantics of the nondeterministic assignment the statement rem(hti) aborts if the tuple hti is not present in the tuple space in the state where the execution of the statement is attempted. The de nition of the tuple space and the associated commands are studied in more detail in our earlier work [18]. 3.2. Coordinators A typical action system to be coordinated has some autonomous activity of its own, below modeled by the action A. The coordination, however, takes place via procedure calls to the global coordination procedures declared in A: A = b |[ proc coordination procedures do A od ]|:

100

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

The coordinator C has typically only autonomous actions C that call the appropriate coordination procedures in other systems: C = b |[do C od]| : coordination procedures: Because the coordination procedures are always enabled, the system to be coordinated cannot refuse to accept the coordination commands at any time. Let C be a coordinating action system and A some other system. Then AkC models a system where the coordinator is a reactive component of the system it is supposed to coordinate. Here the coordination is not enforced, whereas in C==A the coordinator has a higher priority than the other actions of the system and, indeed, enforces coordination. We call this form of coordination pre-emptive. The previous form of coordination is called nonpre-emptive. In both cases above, the communication from A to C is asynchronous, typically via some tuple space. The coordinator, after the appearance of certain tuples in the tuple space, may signal its coordination commands to A using synchronous communication via procedure calls. Another way of thinking about the pre-emptive coordination is to look at two actions A and C. We have that C==A gives preference to C whenever C is enabled. Hence, in case both A and C are enabled, i.e., if gdA ∧ gdC holds, C will always be taken. When A is enabled, but C is not, i.e., if gdA ∧ ¬gdC holds, the action A can be taken. The eect of this is to make the behavior of A more deterministic. Below we give a set of typical examples of coordination problems to illustrate the above aspects. We implicitly assume the existence of a tuple space, i.e. a variable of type bag, that all the reactive components have access to. The examples show only the coordination aspects of the problem at hand. They are inspired by similar examples on RTsynchronizers that were studied during a recent research school on Embedded Systems in Veldhoven, The Netherlands [24]. 3.3. Event coordination In the rst example we have two action systems that model the left and right hands of a robot. The purpose of the coordinator is to ensure that when the left hand wants to give an object to the right hand, the object does not fall, but is indeed transferred from left to right.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

101

Hence, the systems L and R L = b |[ var lhand := false; proc LRel∗ = (lhand := true); do : : : ordinary actions : : : ¬lhand ∧ ¬hlhand:reli → add(hlhand:reli) od ]|; R = b |[ var rhand := false; proc RGrab∗ = (rhand := true); do : : : ordinary actions : : : ¬rhand ∧ ¬hrhand:grabi → add(hrhand:grabi) od ]| announce independently of each other their willingness to transfer an object from system L to system R by placing the relevant event name, lhand:rel and rhand:grab, respectively, into the tuple space. The global procedures in both action systems model the transfer of an object: when the variable lhand has the value true the left hand of the robot has released an object and when the variable rhand has the value true the right hand has obtained it. Originally, both variables are assigned the value false. When the coordinator C below sees the two events announced in the tuple space, it makes the transfer between the hands by calling the coordination procedures LRel and RGrab in L and R, respectively, forcing the transfer to take place in a single atomic action: C = b |[: : : do : : : ordinary actions : : : hlhand:reli ∧ hrhand:grabi → LReljRGrab; rem(hlhand:reli)rem(hrhand:grabi) od]| : LRel; RGrab : We have that the parallel composition LkCkR models the requested behavior as the above action in C expands to hlhand:reli ∧ hrhand:grabi → lhand := true ; rhand := true; rem(hlhand:reli)jrem(hrhand:grabi) according to the substitution principle. Hence, when the left hand releases an object the right hand is simultaneously there to grab it as the coordinator synchronizes this. Observe that the form of coordination is nonpre-emptive meaning that we cannot be sure when the action will be scheduled. It is not necessary for the coordinator to remove the event names from the tuple space in the same action, it could be done in a separate action as well.

102

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

3.4. Periodic events Periodic events occur in real-time applications. We say that an action system A behaves periodically, when it repeatedly sends itself a message as a response to receiving a similar message from itself. The coordinator C xes the periodic invocation of the sending actions in A independently of A which has no knowledge on the length of the period. Let the period be P time units. The coordinator makes the system A to work in fact regularly, i.e., receiving a message at every P time units. The action system A below receives a message mess (here an arbitrary natural number) via its coordination procedure receive. Thereafter it sends a message by placing this message into the tuple space in a separate action as the ag send is true. A = b |[ var send := false; m := m0 :m0 ∈ Nat ; proc receive∗ (mess ∈ Nat) = (m := mess ; send := true) ; do : : : ordinary actions : : : send → add(hmi) ; send := false od ]|: The coordinator C at initialization places an arbitrary natural number mess into the tuple space. When the message has aged P time units, it is sent to A via a call to the coordination procedure receive and removed from the tuple space. C = b |[ varc := now ; mess := m0 ; m0 ∈ Nat ; add(hmessi) ; wait := false ; do : : : ordinary actions : : : hmessi ∧ now = c + P → receive(mess) ; rem(hmessi) ; wait := true hmessi ∧ wait → c := now ; wait := false od ]| : now; receive: Here the variable c models the point of time when the coordinator notices that a message mess appears in the tuple space. We model the passage of time by the action system T that continuously advances time with one time unit. The current time is stored in the variable now that is used in a read-only mode by the coordinator C. T = b |[ var now∗ := n0 :n0 ∈ Nat ; do true → now := now + 1 od ]|: We now have that the system C==A==T allows time to advance only when there is nothing else to do. Moreover, the coordinator C, having the highest priority, will force the system A to receive a message at every P time units via repeated calls of the coordination procedure receive. The system A cannot in uence the periodicity.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

103

3.5. Time bounded buer In a time bounded buer we have a producer–consumer pair communicating asynchronously via a buer. The producer should produce as many elements as it wants at its own pace independently of the consumer. An element in the buer is not allowed to stay there for longer than P time units. The producer P places the elements (here some arbitrary natural numbers) into the buer when the put ag has the value true. At that point the element is stamped with the time of insertion now. The constant PT models the production time of one element in P. Hence, the producer turns put to true when PT time units has elapsed from the previous time it was true, i.e., at the time p+PT where the variable p stores this time stamp. The consumer Q receives elements from the buer via its coordination procedure get. It is not aware of the boundedness of time which is completely handled by the coordinator C. It transfers elements to the consumer by calling the procedure get before the elements get too old, i.e. when now6c + P holds where c is the time the element was placed in the buer. The buer is here modeled by the tuple space. P = b |[ var b := b0 :b0 ∈ Nat ; put := false ; p := now; do : : : ordinary actions : : : ¬put ∧ now = p + PT → put := true ; p := now put → add(hb; nowi) ; put := false od ]| : now; Q = b |[ var b := b0 :b0 ∈ Nat ; proc get ∗ (buf ∈ Nat) = (b := buf ) ; do : : : ordinary actions : : : od ]|; C = b |[ : : : do : : : ordinary actions : : : (∃b; c ∈ Nat:hb; ci ∧ now6c + P → get(b) ; rem(hb; ci)) od ]| : now; get: The requested behavior is modeled by C==(P k Q)==T as highest priority is given to the coordinator action that looks for suitable tuples hb; ci in the tuple space. Here the action system T is as above. Alternatively, we can model dierent types of products, p1 and p2, with dierent deadlines, P1 and P2, respectively, in the buer as follows (we ignore here the manipulations on the put ags which should be treated as above): b |[ : : : P0 = do : : : ordinary actions : : : put1 → add(hb; p1; nowi) ; put1 := false

104

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

put2 → add(hb; p2; nowi) ; put2 := false od ]| : now; C = b |[ : : : do : : : ordinary actions : : : (∃b; c ∈ Nat:hb; p1; ci ∈ B ∧ now6c + P1 → get(b) ; rem(hb; p1; ci)) (∃b; c ∈ Nat:hb; p2; ci ∈ B ∧ now6c + P2 → get(b) ; rem(hb; p2; ci)) od ]| : now; get: Hence, a product of type p1 will stay in the buer for at most P1 time units whereas a product of type p2 is stored in the buer for at most P2 time units. 3.6. Exception handling A special case of coordination is exception handling, where little or no coordination is enforced by the exception handler during normal mode of operation. Instead coordination is only required by the exception handler in order to get the rest of the system back on track when something has gone wrong. Our framework for coordinators also lends itself to the modeling of exception handling. As an example of this way of using coordinators we will outline a way of modeling exception handling in a real-time system with deadlines. The pre-emptive composition C==A==T studied in the examples above, allows time to pass only when there is nothing else to do and thus has progress built into the model. There is no way of missing a deadline and no need for exception handling. There are, however, variations of the composition we think are worth discussing as they lead us into the topic of modeling exceptions. Using parallel composition instead of prioritizing composition yields C k A k T; where all three parts run in parallel. In such a system the coordinator C is nonpreemptive and may miss a deadline and moreover unbounded waiting may occur. In order to prevent unbounded waiting, but still have the exibility of modeling a system where deadlines may be missed we introduce the concept of an exception handler. Such a handler is an action system E with actions b now ¿ (c + Pi ) → : : : ; c := now : Ei = In the following system E==(C k A k T); the coordinator C may miss some deadlines, which leads to the enabling of some action in the exception handler E which ensures that the system will eventually make progress.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

105

Even though we have based our discussion in this section solely on timing constraints, we can also, of course, use the same approach to model other types of exception handlers. Examples of such are dierent forms of hardware interrupts, handlers that take over when we get incorrect sensor readings in safety-critical systems, mechanisms to model failures in the fetch and execute cycle of processors, and so on.

4. Action system reÿnement Action systems are intended to be developed in a stepwise manner within the re nement calculus. Data re nement is often used as a main re nement tool. Here we brie y describe these techniques. Data re nement of action systems is studied in detail elsewhere [7]. 4.1. Data re nement The re nement calculus for actions is based on the following de nition. Action A is re ned by action A0 , written A6A0 , if, whenever A establishes a certain postcondition, so does A0 : A6A0 i ∀Q : wp(A; Q) ⇒ wp(A0 ; Q) : Together with the monotonicity of wp this implies that for a certain precondition, A0 might establish a stronger postcondition than A, i.e. reduce the nondeterminism of A, or even establish postcondition false, i.e. behave miraculously. Choice and sequential composition are both monotonic with respect to re nement in both operands. Moreover, the re nement relation itself is re exive and transitive. Let now A be an action that refers to the variables x; z, denoted A : x; z, and A0 an action that refers to the variables x0 ; z. Then action A is data re ned by action A0 using an abstraction relation R(x; x0 ; z), denoted A6R A0 , if ∀Q:(R ∧ wp(A; Q) ⇒ wp(A0 ; ∃x:R ∧ Q)) : Note that ∃x:R ∧ Q is a predicate on the variables x0 ; z. Let us look at an example. Let A and A0 be the actions below: A = b z ¡ L → x := x ∪ {10} ; z := z + 1; b z ¡ L → x0 := x0 · h10i ; z := z + 1: A0 = Hence, the action A speaks about a multiset x whereas A0 speaks about a sequence x0 . The number of elements in the set is kept in the variable z which is bounded from above by the constant L. We have that A6R A0 using the abstraction relation b x = mseq(x0 ) ∧ z6L ∧ (10 ∈ x ⇒ 10 ∈ mseq(x0 )) R(x; x0 ; z) = where mseq is a function that turns a sequence into a multiset.

106

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

Let procp = P and let R(x; x0 ; z) be an abstraction relation on the involved variables such that P6R P 0 ; where x and x0 are local variables to P and P 0 , respectively and z are the state variables of the system where p is declared. We then have that a call on p with declaration proc p = P is re ned by a call on p with the declaration proc p = P 0 . 4.2. Data re nement of action systems Let A and A0 be two action systems. A = b |[ var z ∗ ; x := z0; x0; procp1∗ = P1 ; : : : ; pj∗ = Pj ; do A od ]| : u; r b |[ var z ∗ ; x0 := z0; x0 0; A0 = procp1∗ = P10 ; : : : ; pj∗ = Pj0 ; do A0 H od ]| : u; r Here the idea is, that some variables x are replaced by the variables x0 . Due to this replacement, the action A is replaced with the action A0 . Some new computation, in terms of the action H , is added into the system. Even the global procedures p have been modi ed. We assume that there are no local procedures around (they have been reduced using the substitution principle). The following de nition states the conditions under which we can consider the action system A to be data re ned by the action system A0 , i.e., when we have that A6R A0 holds for some R(x; x0 ; u; z) where u; z are the variables appearing in both A and A0 . Deÿnition 1. Let A and A0 be action systems as above and R(x; x0 ; u; z) some abstraction relation. Then A6R A0 , if (i) initialization: R(x0; x0 0; u; z0), (ii) procedures: Pi 6R Pi0 , (iii) main actions: A6R A0 , (iv) exit condition: R ∧ gdA ⇒ gdA0 ∨ gdH , (v) auxiliary actions: skip6R H , and (vi) termination of auxiliary computation: R ⇒ wp(do H od; true): Furthermore, when A occurs in a parallel composition with another action system E, then A k E6R A0 k E, if for every action E in E: (vii) non-interference: R ∧ wp(E; true) ⇒ wp(E; R) .

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

107

4.3. Decomposition One method of developing a prioritized or parallel program is to rst specify it without consideration of priorities and parallelism, and then add these in subsequent development steps. If the speci cation is given as an action system the de nitions of the two composition operators directly give a way of doing so. We rst introduce a shorthand for the case when action system A is re ned by action system A0 with same local and global variables as A via some re nement relation: A6A0

i for some R : A6R A0 :

Theorem 2 (Parallel Decomposition). If action system A is of the form A = b |[ var b; c; y∗ ; z ∗ := b0; c0; y0; z0; procp∗ ; q∗ ; do B C od ]| : x; where the variables c do not occur in p; B; and the variables b do not occur in q; C; then A 6 B k C; where B = b |[ var b; y∗ := b0; y0; procp∗ ; do B od ]| : x and C = b |[ var c; z ∗ := c0; z0; proc q∗ ; do C od ]| : x : We also have that B k C6A : This development method for action systems, originally proposed by Back and Sere [6], is also applicable to prioritized programs in a slightly dierent form [25]. Theorem 3 (Prioritizing Decomposition). If action system A is of the form A = b |[ var b; c; y∗ ; z ∗ := b0; c0; y0; z0; procp∗ ; q∗ ; do B g → C od ]| : x; where the variables c do not occur in p; B; variables b do not occur in q; C; and for some predicate I; (a) initialization: I (b0; c0; y0; z0), (b) main actions: (I ∧ wp(B; true) ⇒ wp(B; I )) and (I ∧ wp(C; true) ⇒ wp(C; I )); (c) exit condition: I ∧ ¬gd B ∧ gd C ⇒ g then A 6 B==C; where B = b |[ var b; y∗ := b0; y0; procp∗ ; do B od ]| : x

108

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

and C = b |[ var c; z ∗ := c0; z0; proc q∗ ; do C od ]| : x : Moreover, we are always allowed to give preference to an action system in a parallel composition of action systems: A k B 6 A==B :

(1)

Proof. Let the abstraction relation R be true. Expanding both sides of the re nement relation gives us the following proof obligation: |[ var a; y∗ ; b; z ∗ := a0; y0; b0; z0; procp∗ ; q∗ ; do A B od ]| : x 6true |[ var a; y∗ ; b; z ∗ := a0; y0; b0; z0; procp∗ ; q∗ ; do A==B od ]| : x As there are no auxiliary actions involved in the re nement, it is enough to show that items (i)–(iv) of De nition 1 hold. The exit condition (iv) takes the form gdA∨gdB ⇒ gdA ∨ (¬gdA ∧ gdB). The conditions are easily checked. 4.4. Compositionality Both parallel and prioritizing composition are compositional under the restriction that the abstraction relation R is only over the local variables of the re ned system. When the variables declared global in a system are used in a read-only fashion by other reactive components, this is enough to guarantee compositionality. Hence, under these restriction we have that [25]: A6R A0 ⇒ A k B6R A0 k B :

(2)

Proof. We have to prove that if A6R A0 holds then |[ var a; y∗ ; b; z ∗ := a0; y0; b0; z0; procp∗ = P; q∗ ; do A B od ]| : x 6R |[ var a0 ; y∗ ; b; z ∗ := a0 0; y0; b0; z0; procp∗ = P 0 ; q∗ ; do A0 B od ]| : x De nition 1 requires that only condition (i)–(iv) need to be proved as we have no auxiliary actions. Conditions (i) and (ii) follow from A6R A0 . The main action A B is re ned by A0 B using R, because A6R A0 holds. Moreover, B6R B holds if R is only over the local variables of A and A0 . In case R depends on global variables that are used in a read-only manner by the reactive components of A k B then this also holds. In case R also depends on other global variables, we need the additional requirement (vii) in De nition 1 about noninterference. For condition (iv) we have that R ∧ (gdA ∨ gdB) ⇒ (gdA0 ∨ gdB) which follows from the same condition of A6R A0 . For the prioritizing composition we have: A6R A0 ⇒ A==B6R A0 ==B

(3)

A6R A0 ⇒ B==A6R B==A0 :

(4)

and

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

109

Proof. The right-hand side of rule (3) expands to |[ var a; y∗ ; b; z ∗ := a0; y0; b0; z0; procp∗ = P; q∗ ; do A==B od ]| : x 6R |[ var a0 ; y∗ ; b; z ∗ := a0 0; y0; b0; z0; procp∗ = P 0 ; q∗ ; do A0 ==B od ]| : x Again only conditions (i)–(iv) of De nition 1 need to be checked. The proofs of conditions (i)–(ii) are obvious. For the condition (iii) we need to prove that A==B6R A0 ==B holds. This is shown as follows: A==B6R A0 ==B ≡ A [¬gdA]; B6R A0 [¬gd A0 ]; B ⇐ (A¿R A0 ) ∧ ([¬gdA]6R [¬gdA0 ]) ∧ (B6R B) ≡ {assumptions A6R A0 and B6R B, for p; q : [p]6R [q] i R ∧ q ⇒ p }(∗) R ∧ ¬gdA0 ⇒ ¬gdA ≡ {assumption R ∧ gdA ⇒ gdA0 as A¿R A0 } true In case the abstraction relation R only depends on the local variables of A or global variables used in a read-only manner by the reactive components the above holds. If R also depends on other global variables we need to rely on the noninterference condition (vii) of De nition 1 at the step marked by a star (∗). The proof of the exit condition (iv) is identical to the one above. The proof of rule (4) follows a similar pattern. 5. Constructing coordinators We can develop and re ne coordinators stepwise within the re nement calculus for instance using the strategies below. The coordination procedures themselves can be rst introduced within the calculus as procedural abstractions in a standard way [26]. Thereafter any of the methods below allow us to decompose an initial system speci cation into separate action systems so that some components model the coordination whereas others concentrate on the basic computation in the system. The components can be re ned further in isolation as long as the compositionality properties above hold. When developing a nonpre-emptive coordinator we use parallel decomposition. A 6 A1 k C k A2 ; 0

C6R C ⇒ A1 k C k A2 6R A1 k C0 k A2 : In case pre-emptive coordination is needed, the prioritizing decomposition is used. A 6 C==(A1 k A2 ); 0

C6R C ⇒ C==(A1 k A2 ) 6R C0 ==(A1 k A2 ): Here the systems A1 and A2 are intended to be coordinated by the systems C and C0 . The rst re nement step in both cases is a decomposition step. In practice, such a

110

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

step is justi ed by appealing to Theorems 2 and 3, respectively. In the second step, the idea is that the coordinator C is re ned further and the compositionality rules (2)–(4) imply that the entire system gets re ned. Another strategy in developing coordinators is to let the original system “grow” on both sides using the priority operator: A 6 A==C;

(5)

A 6 C==A:

(6)

In rule (5) we have added a low priority action system C into the system. For this to be a correct re nement, no new global variables can be introduced. In case the actions in C behave as the auxiliary actions in De nition 1, they need to terminate according to condition (vi). Moreover, in case the action system C writes on the global variables of the system A, the eect must be the same as that of the original actions’ in A. Rule (6) is more interesting, because relying on it we can make the original action system A more deterministic. The actions in C that correspond to the auxiliary actions need to terminate. In case C writes on the global variables of A, the eect must be indistinguishable from that of A. The correctness of rule (6) is shown by appealing to De nition 1. Proof. Let the abstraction relation R be true. Expanding both sides of rule (6) we get the following proof obligation: |[ var a; y∗ := a0; y0; procp∗ ; do A od ]| : x 6true |[ var a; y∗ ; c := a0; y0; c0; procp∗ ; do C==A od ]| : x: Conditions (i) and (ii) hold directly. Let C = C1 C2 where C1 writes on the global variables y while C2 writes only on the variables c. Then according to condition (iii) we need to show that A6true C1 ==A: A6true C1 ==A ≡ (A6true C1 ) ∧ (A6true [¬gdC1 ]; A) ≡ {assumption A6true C1 , A6true A}(∗) true The assumption in the step marked by (∗) comes from the fact that we assumed that the eect of C1 on the variables y is the same as the eect of A on y, i.e., A6true C1 holds. The exit condition (iv) holds, because gdA ⇒ gdC ∨ (¬gdC ∧ gdA) holds. The auxiliary action C2 satis es conditions (v) and (vi) according to our assumption. Below we give two dierent examples of coordinators derived within this framework. For the sake of brevity we omit the details of the re nement steps and their proofs of correctness and only present the results.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

111

5.1. A phone system In an earlier study [19] we developed an ImpUNITY speci cation for a system of phones. The initial speci cation was given in UNITY style. The speci cation was re ned into a parallel composition of a number of phones and a switch board: SwitchBoard k Phone1 k : : : k Phonen : The phones place their requests to call other phones in a tuple space. The switch board connects the phones by evaluating the tuples in the tuple space. After a connection has been established between two phones via procedure calls from the switch board, they communicate synchronously using available procedures, basically when disconnecting a call. Hence, the reactive components in the system communicate asynchronously via a tuple space as well as synchronously via procedure calls. When we look at the SwitchBoard as an action system, we observe that it conforms to the general form of a coordinator as de ned in this paper. It consists of a set of actions that calls procedures in the Phonei systems connecting phone calls the same way as the robot coordinator connects events concerning the robot hands in Section 3. Relying on our re nement rule (1) we have that SwitchBoard==(Phone1 k : : : k Phonen ) is a re nement of the original speci cation. The eect of this re nement is that it forces the actions of the switch board to be taken whenever enabled. Let now SwitchBoard6EmergencyCalls k NormalCalls using Theorem 2 again. Here, we can think of the system EmergencyCalls to model certain emergency calls that need immediate attention by the system. They can be modeled by adding into the system a list of callee numbers and when ever such a number is present in the tuple space, which models a request to make a call, the switch board will connect the call without delay. The system NormalCalls models the rest of the calls. The above eect is achieved with the following constructs EmergencyCalls==(NormalCalls k Phone1 k : : : k Phonen ) or EmergencyCalls==NormalCalls==(Phone1 k : : : k Phonen ); both of which are re nements of the rst speci cation. We have again used the re nement rule (1) to justify the steps. 5.2. A message passing system The following case study uses a message passing system as a vehicle to demonstrate the bene ts of developing coordinators in the same framework as the functional aspects

112

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

of the system. The initial speci cation M of the system stores all messages in a bag mail of messages from which the appropriate receiver will pick up messages. The network is of xed size with a set Node of nodes, and messages are passed around in “envelopes” consisting of a designated receiver and the message itself. The type of envelopes is Env = b Node × Msg. M = b |[ var mail∗ := hi ; proc Send∗n ((r; m) : Env) = mail := mail ∪ h(r; m)i for n ∈ Node proc Receiven∗ ((r; m) : Env) = mail := mail\h(r; m)i ; process(m) for n ∈ Node do (∃m | (r; m) ∈ mail) → m := m0 :(r; m0 ) ∈ mail ; Receiver (r; m)) for r ∈ Node od ]| Given a subset PriNode ⊂ Node of prioritized nodes we can, for example, re ne M by augmenting it with a coordinator P that favors messages destined for nodes in PriNode. P = b |[ do (∃m | (p; m) ∈ mail) → m := m0 :(p; m0 ) ∈ mail ; Receivep (p; m)) for p ∈ PriNode od ]| : mail; Receive: De ning b P==M; M0 = we have that M6M0 is a valid re nement by rule (6) since the composed system is a more deterministic version of the abstract one. Another possibility is to favor certain messages instead of certain nodes. The coordinator U can be seen as a router that prioritizes messages that are recognized as being urgent by the function urgent : Msg → Bool. U = b |[ do (∃m | (n; m) ∈ mail ∧ urgent(m)) → m := m0 :((n; m0 ) ∈ mail ∧ urgent(m0 )) ; Receiven (n; m) for n ∈ Node od ]| : mail; Receive The composition favoring urgent messages is de ned as b U==M M00 =

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

113

which is also a more deterministic version of M and thus also a proper re nement by rule (6), i.e. M6M00 : Working in the framework of action systems turns out to be quite exible. Assume we start with the re nement from M to M00 . We can now re ne either component, the controller U or the computational part M separately. Since our prioritizing composition operator is monotonic in its right argument any re nement of M can be used in the composition, including M0 described above, yielding M6U==(P==M) : Due to associativity of the prioritizing composition we can also view the system as (U==P)==M : When doing further re nements we can choose any of the components U, U==P, P==M, or M as a speci cation to re ne further.

6. Conclusions We proposed a uniform action system/re nement calculus-based approach to reasoning about coordination. The formalism, originally designed for the derivation of parallel and distributed systems, was used as such even for this new aspect. The main tool used was the prioritizing composition operator on actions and action systems. In this sense our work is related to MobileUNITY [20], where the coordination statements also have higher priority than the other statements. We exempli ed our methodology using a collection of typical coordination problems from the literature. Only the highlights of the coordination aspects were shown. Moreover, we only gave an informal justi cation for the re nement steps we carried out. Every step can be formally veri ed using the data re nement rules and strategies given in this paper. Even though our re nement rules are compositional, we do need the side conditions on the abstraction relation R as discussed in Section 4. This means that the coordination part and the functional part cannot be re ned completely independent. A change of the data representation in terms of the involved variables in either the coordinator or the functional part requires that the proof obligations for the data re nement are checked for both parts to the extent that both parts refer to the changed variables, this concerns especially the non-interference requirement. However, in practice this can be minimized by well chosen interfaces to the functional part of the system so that there are no shared variables between the two parts or in case this cannot be avoided, the variables are accessed in a read-only manner in one part. Another point is that the coordinator need not be introduced at the most abstract level, but can be introduced at any time, even as

114

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

a nal step of the re nement process. Yet another bene t we have with our approach is the dual view of the coordinator that we can consider as either an ordinary action system or as a separate scheduler, and we can switch views as we see t. The prioritizing composition can be used to model dynamically changing priorities by coding the current priorities in special purpose variables as described by Sekerinski and Sere [25]. Another alternative is to de ne a derived operator for this based on the prioritizing composition operator. Let A and B be actions and de ne A==b\\B

= b

(b → A ¬b → B)==(¬b → A b → B) :

We have that in a state where the boolean b evaluates to true, priority is given to action A over B as A==b\\B reduces to A==B. On the other hand, if the boolean b evaluates to false in some state, the action B has priority over A as A==b\\B reduces to B==A. Hence, by suitably modifying the value of b, the priority is changed dynamically. Details of the properties of this operator and its application in, for instance, formally deriving the scheduling protocols of Sha et al. [27], where dynamic priorities are used, are left for further research. Another interesting and promising direction for future research is the coordination aspects of object-oriented systems. We plan to extend the ideas developed in this paper to our recent framework on object-oriented action systems [10]. Acknowledgements The work reported here is carried out within the projects Cocos and Formet. These projects are supported by the Academy of Finland and the Technology Development Centre of Finland (Tekes). The authors wish to thank the referees for suggesting several improvements to this paper. References [1] G. Agha, Actors: A Model of Concurrent Computation in Distributed Systems, MIT Press, Los Alamos, CA, 1986. [2] F. Arbab, The IWIM Model for coordination of concurrent activities, in: P. Ciancarini, C. Hankin (eds.), Coordination’96: Coordination Languages and Models, Lecture Notes in Computer Science, vol. 1061, Springer, Berlin, 1996. [3] R.J.R. Back, On the correctness of re nement steps in program development, Ph.D. Thesis, Department of Computer Science, University of Helsinki, Helsinki, Finland, 1978. Report A–1978–4. [4] R.J.R. Back, R. Kurki-Suonio, Decentralization of process nets with centralized control, Proc. of the 2nd ACM SIGACT–SIGOPS Symp. on Principles of Distributed Computing, 1983, pp. 131–142. [5] R.J.R. Back, K. Sere, Stepwise re nement of action systems, Struct. Programming 12 (1991) 17–30. [6] R.J.R. Back, K. Sere, From modular systems to action systems, Software – Concepts Tools 17 (1996) 26–39. [7] R.J.R. Back, J. von Wright, Trace re nement of action systems, in: B. Jonsson, J. Parrow (eds.), CONCUR ’94: Concurrency Theory. Proceedings. 1994, Lecture Notes in Computer Science vol. 836 Springer, Berlin, 1994, pp. 367–384. [8] J.-P. Banˆatre, D. Le Metayer, Programming by multiset transformation, Comm. ACM 36(1) (1993) 98–111.

E.J. Hedman et al. / Theoretical Computer Science 240 (2000) 91–115

115

[9] M.M. Bonsangue, J.N. Kok, The weakest precondition calculus: recursion and duality, Formal Aspects Comput. 6(A) (1994) 788–800. [10] M.M. Bonsangue, J. N. Kok, K. Sere, An approach to object-orientation in action systems, in: Mathematics of Program Construction (MPC’98), Marstrand, Sweden, June 1998. Lecture Notes in Computer Science, vol. 1422, Springer, Berlin. [11] N. Carriero, D. Gelernter, Coordination languages and their signi cance, Comm. ACM 35(2) (1982) 97–107. [12] K. Chandy, J. Misra, Parallel Program Design: A Foundation, Addison–Wesley, Reading, MA, 1988. [13] M. Chaudron, E. de Jong, Towards a Compositional Method for Coordinating Gamma Programs, in P. Ciancarini, C. Hankin (eds.), Coordination’96: Coordination Languages and Models, Lecture Notes in Computer Science, vol. 1061, Springer, Berlin, 1996. [14] P. Ciancarini, C. Hankin (eds.), Coordination’96: Coordination Languages and Models, Lecture Notes in Computer Science, vol. 1061, Springer, Berlin, 1996. [15] H.C. Cunningham, G.C. Roman, A UNITY-style programming logic for a shared dataspace language, IEEE Trans. Parallel Distributed Systems 1(3) (1990) 365–376. [16] E.W. Dijkstra, A Discipline of Programming. Prentice–Hall, Englewood Clis, NJ, 1976. [17] D. Garlan, D. Le Metayer (eds.), Coordination’97: Coordination Languages and Models, Lecture Notes in Computer Science, vol. 1282, Springer, Berlin 1997. [18] H.J.M. Goeman, J.N. Kok, K. Sere, R.T. Udink, Coordination in the ImpUNITY Framework, Sci. Compu. Programming 31(2) (1998) 313–334. [19] H.J.M. Goeman, J.N. Kok, K. Sere, R.T. Udink, Coordination in the ImpUnity Framework, in: P. Ciancarini, C. Hankin (eds.), Coordination’96: Coordination Languages and Models, Lecture Notes in Computer Science, vol. 1061, Springer, Berlin, 1996. An extended version appeared as TUCS Technical Report No 50, October 1996. Turku, Finland. [20] P.J. McCann, G.-C. Roman, Compositional programming abstractions for mobile computing. IEEE Trans. Software Engin. 24(2) (1998) 97–110. [21] C.C. Morgan, The speci cation statement, ACM Trans. Programming Languages Systems 10(3) (1988) 403–419. [22] J.M. Morris, A theoretical basis for stepwise re nement and the programming calculus, Sci. Comput. Programming 9 (1987) 287–306. [23] G. Nelson, A generalization of Dijkstra’s calculus, ACM TOPLAS 11(4) (1989) 517–561. [24] S. Ren, G. Agha, A modular approach for programming distributed real-time systems, Hand-Out, European Educational Forum, School on Embedded Systems, Veldhoven, NL, November 1996. [25] E. Sekerinski, K. Sere, A theory of prioritizing composition, Comput. J 39(8) (1986) 701–712. [26] K. Sere, M. Walden, Data re nement of remote procedures, in: M. Abadi, T. Ito (Eds.), Theoretical Aspects of Computer Software, Lecture Notes in Computer Science, vol. 1281, Springer, Berlin, 1997. [27] L. Sha, R. Rajkumar, J.P. Lehoczky, Priority inheritance protocols: an approach to real-time synchronization, IEEE Trans. Comput. 39(9) (1990) 1175–1185. [28] R.T. Udink, J.N. Kok, ImpUNITY: UNITY with procedures and local variables, In: Mathematics of Program Construction’95, Lecture Notes in Computer Science, vol. 947, Springer, Berlin, 1995.